Collaborate Disseminate
I just got a message from a security guy that my application is executing remote code if they pass a Content-Type: image/asp. For now he does not disclose anything. Now my question is that if I am using ASP.NET 5 MVC application using IIS … Continue reading Content-Type and Code Execution
I am building an asp .net mvc project and I want to save the user who is currently logged in , So I read about sessions and cookies and I found that authentication tokens stored in a cookies are a solution for the problem, So I read about … Continue reading how to deal with with authentication tokens in the client browser and in my database?
As far as I understand, Identity sends to the user an encrypted token with some user information like the user name and expiration date. Then, when a new request arrives to the server, it decrypts it and will have available all the user cl… Continue reading Why ASP.Net Identity sends sensitive information to clients?
The main question here is: If you are using a backend server to authenticate a user with a third party provider such as Auth0, do you need to validate the JWT received in this scenario?
I am looking at the example custom login from Auth0 … Continue reading Validating JWT in server-to-auth-server scenario
I have a web application with a log in page.
In the log in page, I’ve set maxlength for the username input and the password input, which looks like the code below.
@Html.TextBoxFor(m => m.Username, new { @maxlength=”30″})
I want to create a web application with a login form and authenticate with Active Directory account. Our users sometimes use a device that users cannot log in, so we don’t want to use Windows Authentication.
How it’s set up right now is:
… Continue reading Active Directory authentication with a Login form ASP.NET MVC5
I have an MVC application that uses Active Directory membership for user authentication.
After the user logs in, a FormsAuthenticatedTicket is created and encrypted. Then, in Application_PostAuthenticateRequest the ticket is… Continue reading formsauthenticationticket is decrypted with previous login data [migrated]
ASP.NET will soon begin reflecting Google’s decision to default cookies to SameSite=”strict” in a defense against CSRF attacks:
https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-co… Continue reading Preventing CSRF with SameSite="strict" without degrading user experience?
Inside our ASP.NET MVC-4 web application, we have added the Elmah error logging, and I wrote a code to prevent the Elmah from exposing the user password inside the error file. But inside the Elmah error file, I can see other … Continue reading Should HTTP_COOKIE, __RequestVerificationToken, _RequestVerificationToken and .ASPXAUTH be kept secret?
I am currently working on a .NET MVC project with AngularJs 1.XX as front-end and we would like to check the security of our project. I want to know how I can test the application and which tools can be used.
What tools can … Continue reading Web Application Security Testing Steps [on hold]